Daniel Bachfeld

Dangers from the Twilight Zone

Alternate Data Streams can still be hiding places
for malware

Microsoft's NTFS file system supports Alternate Data
Streams for storing additional information about a
file. Malware can lurk in such streams. Nonetheless, a
year and a half after the first ADS test of 18 virus
scanners, not all of them reliably detect malware in
ADS.

In October 2004, heise Security Germany tested which
virus scanners detect malware in Alternate Data Streams
(ADS) [1]. The NT file system (NTFS) developed by
Microsoft has supported ADS since Windows NT 3.51. The
operating system uses them to store additional
information about a file, such as the Zone.Identifier
stream introduced with Windows XP Service Pack 2 that
marks files as having come from the Internet. Windows
applications have also long used such streams, for
example to save thumbnails for previews.

And yet, such streams are not displayed by the
command-line dir command (the /R switch that lists them
only arrived with Windows Vista) or by Windows
Explorer. All you see is the file; the stream is
effectively invisible. Even if a user or an application
writes several megabytes into a stream, the size
reported for the file remains unchanged, although the
space is consumed on disk. An ADS can even be attached
to a directory. In other words, streams are an
excellent way of hiding data, and viruses and trojan
horses already exploit them.
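The following is an added example, not code from the article or from any of the tested products. It shows the hiding effect described above and how a practitioner enumerates streams. It assumes an NTFS volume and Windows PowerShell 5.1 or newer (the -Stream parameter needs 3.0, -NoNewline needs 5.0); Windows PowerShell cannot read streams on directories with Get-Item, so that part goes through cmd.exe. The paths, file name and stream names (`ads-demo`, `readme.txt`, `hidden`, `dir-note`) are made up for the demo.

```powershell
# Added example (not from the heise article): a named stream hides data from
# the usual size and listing views; enumerate such streams explicitly.
# Assumes NTFS and Windows PowerShell 5.1+. Paths and stream names are made up.
$work = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$file = Join-Path $work 'readme.txt'
Set-Content -LiteralPath $file -Value 'Nothing to see here.'

# Write 3 MB into a named stream. The primary ($DATA) stream is untouched.
Set-Content -LiteralPath $file -Stream 'hidden' -Value ('A' * 3MB) -NoNewline

# dir, Explorer and Get-Item report only the primary stream's length (22 bytes).
'{0}: {1} bytes reported' -f $file, (Get-Item -LiteralPath $file).Length

# Enumerate every stream of the file; the primary one shows up as ':$DATA'.
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# Streams can hang off a directory too. Windows PowerShell 5.1 cannot query
# directory streams, so use cmd.exe; dir /R (Vista and later) is the only
# built-in dir view that shows streams. Relative names avoid quoting trouble.
Push-Location $env:TEMP
cmd.exe /c 'echo stream on a directory> ads-demo:dir-note'
cmd.exe /c 'dir /R ads-demo*'      # shows ads-demo:dir-note:$DATA
cmd.exe /c 'dir /R ads-demo'       # shows readme.txt:hidden:$DATA
Pop-Location

# Hunt for non-default streams on files under a tree, ignoring the
# Zone.Identifier marker that Windows XP SP2 and later attach to downloads.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $work

# Copy a stream out into an ordinary file so an on-demand scanner or a hash
# lookup can examine it like any other file.
Get-Content -LiteralPath $file -Stream 'hidden' -Raw |
    Set-Content -LiteralPath (Join-Path $work 'hidden.extracted') -NoNewline
```

Run it from a normal user session; nothing here needs elevation. The Find-AlternateStreams pass is the check worth keeping: a stream named anything other than `:$DATA` or `Zone.Identifier` on a file that has no business carrying one is exactly the kind of data the article says scanners must look at.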

In the 2004 test of 18 products, five failed both the
on-demand scan and on-access detection. Only five of
the virus monitors provided reliable protection from
malicious code written into a stream and detected it
both on demand and on access. A year and a half later,
more and more malware is hiding in streams, such as the
current Mailbot worm. Windows rootkits in particular
are becoming increasingly common, which makes it ever
more important to find and eliminate dangerous data in
ADS. Time for us to update our overview.
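The two disciplines of the test, detection on access and on demand, can be checked harmlessly on one's own machine. The following is an added example and not part of the heise/AV-Test methodology, which used real malware samples. It writes the standard EICAR test string into a stream and reports what the resident monitor does at write and read time, then what a manual scan does. It assumes NTFS, Windows PowerShell 5.1 or newer, and that the installed scanner treats EICAR inside a stream as it would real malware; a product that special-cases EICAR can pass or fail this without that saying anything about real samples. The file name `ads-eicar-host.txt`, the stream name `payload` and the helper `Test-StreamPresent` are made up for the demo.

```powershell
# Added example (not from the heise/AV-Test test): reproduce "on access" and
# "on demand" detection of a stream using the harmless EICAR test string.
# Assumes NTFS, Windows PowerShell 5.1+, and a scanner that does not
# special-case EICAR. File, stream and function names are made up.
$file = Join-Path $env:TEMP 'ads-eicar-host.txt'
Set-Content -LiteralPath $file -Value 'harmless carrier file'

# Single quotes: $EICAR and $H must stay literal, not be expanded as variables.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-StreamPresent {
    param([string]$Path, [string]$Name)
    # Get-Item with a missing stream name writes a non-terminating error; swallow it.
    [bool](Get-Item -LiteralPath $Path -Stream $Name -ErrorAction SilentlyContinue)
}

# Discipline 1, on access: write the string into a named stream. A resident
# monitor either refuses the write or removes the stream right afterwards.
$writeError = $null
try {
    Set-Content -LiteralPath $file -Stream 'payload' -Value $eicar -NoNewline -ErrorAction Stop
} catch { $writeError = $_.Exception.Message }
Start-Sleep -Seconds 3   # give a monitor that scans after close a moment
if ($writeError) { $onAccessWrite = "write refused: $writeError" }
elseif (Test-StreamPresent $file 'payload') { $onAccessWrite = 'stream written and still present' }
else { $onAccessWrite = 'stream removed after write' }

# Still on access: does reading the stream back wake the monitor?
$onAccessRead = 'not tested (stream absent)'
if (Test-StreamPresent $file 'payload') {
    try {
        $null = Get-Content -LiteralPath $file -Stream 'payload' -Raw -ErrorAction Stop
        $onAccessRead = 'read allowed'
    } catch { $onAccessRead = "read refused: $($_.Exception.Message)" }
}

# Discipline 2, on demand: start the product's manual scan of the TEMP folder
# (vendor-specific), then see whether the stream survived it.
Read-Host 'Run an on-demand scan of the TEMP folder now, then press Enter'
if (Test-StreamPresent $file 'payload') { $onDemand = 'stream survived the manual scan' }
else { $onDemand = 'stream removed by the manual scan' }

[pscustomobject]@{
    OnAccessWrite = $onAccessWrite
    OnAccessRead  = $onAccessRead
    OnDemand      = $onDemand
}
Remove-Item -LiteralPath $file -ErrorAction SilentlyContinue
```

A product in the article's best category blocks or removes the stream at write or read time and also removes it in the manual scan; one that only monitors on access leaves a stream written while the monitor was off in place after a manual scan, which is the gap the on-demand column of the test captures.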

Second stage

We ran this test in cooperation with AV-Test and checked
recent versions of the 18 scanners tested last time for
their ability to detect malware in ADS. While more
products now detect viruses in streams, there is still
one complete failure: F-Prot still does not look at
streams at all. Nine products detect viruses in ADS
both on demand and on access, among them Symantec,
whose scanner failed the ADS test completely in 2004.
Trend Micro has also improved: earlier versions could in
principle scan ADS on demand, but this option first had
to be activated via a registry key. The current 2006
version at least searches streams for malware on access
without being prompted.

BitDefender also searches for viruses in ADS on access,
but its scanner finds nothing on demand. The virus
utilities of Ikarus do it the other way round: the
product detects malware in ADS on demand, but not on
access. We were somewhat surprised this time by Norman
Virus Control, which offered complete protection in
2004 but now only detects on access. The vendor had not
responded to our query on this matter by the time this
article went online. See the table at the end of the
article for the complete results.

Conclusions

Most vendors have done their homework and now provide
protection against viruses in ADS, though sometimes
only on access. At present, Antivir 7, AntiVirenKit
2006, Anti-Virus 2006, Dr.Web, EZ Antivirus, Kaspersky
AV Personal, McAfee Viruscan, NOD32 and Norton
Antivirus 2006 have mastered both disciplines. The
virus utilities of Ikarus and F-Prot cannot, however,
be recommended, since neither provides protection from
ADS malware in real time. According to the vendor, the
upcoming version 4.0 of F-Prot will remedy this
drawback. (dab)